Description of problem:
Squid can't open connections to port 21 (and some other ports). This prevents browsing of FTP sites.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-12 (i.e. FC4 updates/testing)

How reproducible:
Always

Steps to Reproduce:
1. Run squid under targeted policy.
2. Attempt to open FTP site.

Actual results:
Connection refused.

Expected results:
Should work and it does when SELinux is disabled.

Additional info:
Jun 18 14:09:30 beauty kernel: audit(1119067770.693:65): avc: denied { name_connect } for pid=2255 comm="squid" dest=21 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket

If you set the boolean squid_connect_any, it should work, although ftp_port_t should probably be added to squid by default.
OK, I'll try that and report back. It would make sense to make it a default though, just like you said. I'm also having trouble with dovecot since moving to FC4, as reported in 158583. The dovecot_disable_trans boolean wouldn't have anything to do with tcp ports, right?
This appears to be fixed in selinux-policy-targeted-1.23.18-17. One still does need to enable squid_connect_any if passive FTP is being used, but that seems OK, given that those ports cannot be predicted.
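
An added example, not part of the original report or of the selinux-policy project: a small Python parser for AVC denial lines like the one in the report. It groups denials by source type, target type and class and lists the allow rule each group corresponds to, so the rule can be reviewed before anything is changed. The second log line and its `port_t` label are constructed to stand in for a passive-FTP data port.

```python
import re

# First line: the denial from the report. Second line: constructed sample
# (assumed port number and the generic port_t label) for a passive-FTP port.
SAMPLE_LOG = """\
Jun 18 14:09:30 beauty kernel: audit(1119067770.693:65): avc: denied { name_connect } for pid=2255 comm="squid" dest=21 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
Jun 18 14:09:41 beauty kernel: audit(1119067781.102:66): avc: denied { name_connect } for pid=2255 comm="squid" dest=49152 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    return rec

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def summarize(log):
    """Group denials by (source type, target type, class); collect perms and ports."""
    groups = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        group = groups.setdefault(key, {"perms": set(), "ports": set()})
        group["perms"].update(rec["perms"])
        if "dest" in rec:
            group["ports"].add(int(rec["dest"]))
    return groups

def candidate_rules(groups):
    """Render each group as the allow rule it would take to permit it."""
    rules = []
    for (src, tgt, cls), group in sorted(groups.items()):
        perms = sorted(group["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

A rule against a specific type such as `ftp_port_t` covers only the ports carrying that label, while one against the generic `port_t` covers every otherwise unlabelled port, which is why the second case is left behind a boolean rather than allowed by default.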